TY - GEN
T1 - A multiple regular expressions matching architecture for network intrusion detection system
AU - Zhang, Wei
AU - Song, Tian
AU - Wang, Dongsheng
PY - 2008
Y1 - 2008
N2 - Regular expressions are increasingly used in network security applications. Multiple regular expressions matching is one of the most important performance bottlenecks in those systems. This paper proposes a new hardware-based multiple regular-expressions matching architecture, called MRM, for network intrusion detection system. It shows that traditional algorithm, such as AC, has to face the serious spatial explosion problem when simultaneously detecting a large number of regular expressions because of constrained repetitions. MRM utilizes hardware RAM modules to share matching signals and exploits hardware register counting to implement constrained repetitions. This paper also proposes a software compiler to construct the hardware architecture and generate information in MRM's RAMs for the given regular expressions. Experiments in actual snort and bro regular expression sets show that MRM can achieve the high throughput of 2.1Gbps and 2.8Gbps on Virtex2 and Virtex4 devices respectively.
AB - Regular expressions are increasingly used in network security applications. Multiple regular expressions matching is one of the most important performance bottlenecks in those systems. This paper proposes a new hardware-based multiple regular-expressions matching architecture, called MRM, for network intrusion detection system. It shows that traditional algorithm, such as AC, has to face the serious spatial explosion problem when simultaneously detecting a large number of regular expressions because of constrained repetitions. MRM utilizes hardware RAM modules to share matching signals and exploits hardware register counting to implement constrained repetitions. This paper also proposes a software compiler to construct the hardware architecture and generate information in MRM's RAMs for the given regular expressions. Experiments in actual snort and bro regular expression sets show that MRM can achieve the high throughput of 2.1Gbps and 2.8Gbps on Virtex2 and Virtex4 devices respectively.
KW - Intrusion detection
KW - Pattern matching
KW - Regular expression matching
UR - http://www.scopus.com/inward/record.url?scp=58049183099&partnerID=8YFLogxK
U2 - 10.1109/CHINACOM.2008.4685118
DO - 10.1109/CHINACOM.2008.4685118
M3 - Conference contribution
AN - SCOPUS:58049183099
SN - 9781424423736
T3 - 3rd International Conference on Communications and Networking in China, ChinaCom 2008
SP - 687
EP - 691
BT - 3rd International Conference on Communications and Networking in China, ChinaCom 2008
T2 - 3rd International Conference on Communications and Networking in China, ChinaCom 2008
Y2 - 25 August 2008 through 27 August 2008
ER -